jaysonfranklin asked:

DMZ question

When I try to add a route to the DMZ it tells me it's already there; however, I can't ping the 10.0.0.0 network from the 192.168.10.0 network and vice versa.

Am I doing this wrong?

PixFirewall(config)# route DMZ 192.168.10.0 255.255.255.0 10.0.0.1
Route already exists
PixFirewall(config)# route DMZ 10.0.0.0 255.0.0.0 192.168.10.1
Route already exists

This is the config:

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
enable password DjGOaLXBWWiqnfoU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PixFirewall
domain-name brainstate.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.2 exchsvr
access-list Outside_In permit tcp any host x.x.x.x eq https
access-list Outside_In permit tcp any host x.x.x.x eq 444
access-list Outside_In permit tcp any host x.x.x.x eq smtp
access-list Outside_In permit tcp any host x.x.x.x eq 3389
access-list Outside_In permit tcp any host x.x.x.x eq 4125
access-list Outside_In permit tcp any host x.x.x.x eq pptp
access-list Outside_In permit icmp any any echo-reply
access-list Outside_In permit icmp any any time-exceeded
access-list Outside_In permit icmp any any unreachable
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 7
failover ip address outside x.x.x.x
failover ip address inside 192.168.10.13
failover ip address DMZ 10.0.0.2
pdm location exchsvr 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x https exchsvr https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 444 exchsvr 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp exchsvr smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 exchsvr 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 4125 exchsvr 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x pptp exchsvr pptp netmask 255.255.255.255 0 0
access-group Outside_In in interface outside
route outside 0.0.0.0 0.0.0.0 67.93.55.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.10.49 /c:\TFTP-Root\
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
username brainstate password 59pAgVgKeLnI1W0K encrypted privilege 15
terminal width 80
banner motd Brain State Technologies Security Message - Terms of Use
banner motd
banner motd The Brain State Technologies computer system is RESTRICTED to official business by authorized users only. Unauthorized entry is prohibited by law and subject to prosecution. All activities and access attempts are monitored and logged for auditing.
banner motd
banner motd Use of this system is your consent to the current Terms of Use. If you are not authorized to use this system, or do not agree to the current Terms of Use, please exit now.
Cryptochecksum:6c9dccad73c9e8b9539da6c00618e745
: end

 PixFirewall#  
carribeantech

If you need to access the inside from the DMZ and vice versa, please try the following:

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

So when users on the inside access the DMZ they are going to use the same IP address.
jaysonfranklin (ASKER)

Please accept my apologies. I should have given more explanation.

I am going to have a software vendor VPN to a host on the DMZ. They are going to be saving data on that host.

I need access to retrieve the data, but do not want the people that have access to the DMZ to be able to get to the inside network. They should only be able to access the one DMZ host.

Does this clear things up? Sorry for not explaining more sooner.
Keith Alabaster
Is there a particular port they need to get to on the dmz machine?
Not really, I guess whatever port the VPN uses.

I'm sending them a preconfigured Cisco VPN client install package that will set everything up for them. It's already been tested and working.

We are doing this because these people work for the government and are placing very sensitive data on this DMZ server. Nobody else will have access to it except for this group of people. They are not VPN'ing to the inside; I will set the VPN up on the DMZ interface to only translate the one IP of the host in the DMZ.

Once they copy the data over, I am going to copy it from that server to the inside where we do our thing.

Let me know if you need any more info.

Thanks for your help.
You could do it only for one host

static (inside,dmz) 192.168.10.3 192.168.10.3 netmask 255.255.255.255

That does what for the one host?

As you can see by the config, the host in the DMZ is 10.0.0.5 on the 10.0 network;
the inside network is a 192.168 network.

If your statement adds a static route, won't information be able to pass both ways?

I only want it to pass one way, which is me going out to get it. I don't want traffic permitted that originates from the DMZ.
carribeantech has it right. Traffic cannot come the other way, as the DMZ is on a lower security level and you would need to put permit statements in.
OK, so if they are coming from the outside and you need them to access a server on the DMZ, is this correct?
Yes. They are coming from the outside; they will access a host on the DMZ.

Is it possible to set the VPN up on the DMZ interface or do I have to set it up on the outside interface?
ASKER CERTIFIED SOLUTION
carribeantech

By default, traffic cannot pass automatically from an interface with a low security level to an interface with a higher level. Outside cannot get automatically to DMZ or inside, as they both have a security level higher than zero. DMZ cannot get to inside, as DMZ is 99 and inside is 100.

To allow the traffic you use permit and static statements to pass the required traffic to the higher security interfaces.
For outgoing traffic, traffic CAN flow automatically out to lower security interfaces until an access-list is applied to that interface.
So, if I just do the VPN wizard, can I say enable the VPN on the DMZ interface or do I have to say the outside?
Yeah, I got the whole thing about the security levels. I was just wondering what the actual command was.

This is what confused me: static (inside,dmz) 192.168.10.3 192.168.10.3 netmask 255.255.255.255

After this statement, I asked what this does. I just need to know what the route statement I need looks like.

Right now I can't access the 10.0.0.5 box by \\10.0.0.5 from the inside (192.168) network.

So is this what I add?

static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255

to be able to gain access to the DMZ?

Just so we're on the same page: I understand that by adding this statement, I am permitting traffic to go into the DMZ to that one host,
and traffic cannot originate from the DMZ and make it to the inside without a permitting ACL.

To initiate traffic from the DMZ you would need to add:

static (dmz,inside) 10.0.0.5 10.0.0.5 netmask 255.255.255.255

and also create an access-list:

access-list DMZ_In permit tcp host 10.0.0.5 host 192.168.10.3
access-group DMZ_In in interface DMZ

Hope this helps!
lol,

You want to get to 10.0.0.5 from a box on the inside 192.168.x.y, using HTTP, yes?

Firstly, do devices on the 192.168 network know where the 10.0.0.5 box is? I.e., is the default gateway of the internal PCs pointing at the internal PIX interface?
Yes. I know, I'm hilariously dumb.

j/k. Yes, nobody on the inside needs to see the DMZ, just me. So, yes, all PCs internally have the DG of the PIX inside interface. So, no hosts know of the DMZ.

Not using HTTP. Using Windows Explorer, \\10.0.0.5\share, copy data from there to someplace on the inside, like \\insideserver\share.

Just to reiterate:
I am going to have a software vendor VPN to a host on the DMZ. They are going to be saving data on that host.

I need access to retrieve the data, but do not want DMZ-originating traffic permitted to the inside network. They should only be able to access the one DMZ host.

In other words, just because they can VPN to this host in the DMZ, I don't want any chances or open doors to the inside.

I ONLY want to access DMZ from Inside - Not vice versa.

The access-list permits DMZ traffic to the inside, which I do not want, unless this is the only way it can be done.

If it is, I will just have to enable the access-group to get the data, then say no access-group when I'm done getting the data.

Do you see what I'm saying or am I over-confusing the issue?
If you only want to access the DMZ from inside, do the following:

global (dmz) 10 interface

Users from inside will be able to access the DMZ, not vice versa.

Hope this helps!
carribeantech - GLAD TO SEE YOU BACK AROUND!
Thanks lrmoore
I added the global command; however, it is still not working. Do I need to remove one of the earlier route statements?

Just as an FYI, I removed the DMZ_In access-list and access-group association.

Here is the new config:
sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
enable password 5sXG9pKeLp9nI1Wd40K encrypted
passwd 25sXG9p1AgVgKeLp9nI1W0K2KYOU encrypted
hostname PixFirewall
domain-name brainstate.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.2 exchsvr
access-list Outside_In permit tcp any host 67.93.x.x eq https
access-list Outside_In permit tcp any host 67.93.x.x eq 444
access-list Outside_In permit tcp any host 67.93.x.x eq smtp
access-list Outside_In permit tcp any host 67.93.x.x eq 3389
access-list Outside_In permit tcp any host 67.93.x.x eq 4125
access-list Outside_In permit tcp any host 67.93.x.x eq pptp
access-list Outside_In permit icmp any any echo-reply
access-list Outside_In permit icmp any any time-exceeded
access-list Outside_In permit icmp any any unreachable
access-list bstvpn_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.50.0 255.255.255.0
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 67.93.x.x 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bstvpnpool 192.168.50.1-192.168.50.254
failover
failover timeout 0:00:00
failover poll 7
failover ip address outside 67.93.x.x
failover ip address inside 192.168.10.13
failover ip address DMZ 10.0.0.2
pdm location exchsvr 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 67.93.x.x https exchsvr https netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.93.x.x 444 exchsvr 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.93.x.x smtp exchsvr smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.93.x.x 3389 exchsvr 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.93.x.x 4125 exchsvr 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.93.x.x pptp exchsvr pptp netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
access-group Outside_In in interface outside
route outside 0.0.0.0 0.0.0.0 67.93.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.10.49 /c:\TFTP-Root\
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup bstvpn address-pool bstvpnpool
vpngroup bstvpn dns-server exchsvr 65.106.1.196
vpngroup bstvpn wins-server exchsvr 192.168.10.11
vpngroup bstvpn default-domain brainstate.local
vpngroup bstvpn split-tunnel bstvpn_splitTunnelAcl
vpngroup bstvpn idle-time 1800
vpngroup bstvpn password ********
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
username brainstate password 5sXG9p1AgVgKeLp9nI1W0K encrypted privilege 15
terminal width 80
banner motd Brain State Technologies Security Message - Terms of Use
banner motd
banner motd The Brain State Technologies computer system is RESTRICTED to official business by authorized users only. Unauthorized entry is prohibited by law and subject to prosecution. All activities and access attempts are monitored and logged for auditing.
banner motd
banner motd Use of this system is your consent to the current Terms of Use. If you are not authorized to use this system, or do not agree to the current Terms of Use, please exit now.
Cryptochecksum:2119a1103d6372d369bf02ac09f2c88f
: end

 PixFirewall#
Please try the following:

no static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
no static (DMZ,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
clear xlate  //this will delete all connections
clear local

I did that, and am still unable to ping 10.0.0.5 from my desk (192.168.10.49).

The only time I have been able to accomplish this feat is when I added the access-list. Why is that?

Everything you guys have said about the routes and the security levels all makes sense, so I don't know why I am having such a hard time with this. As you can tell by the config, I am new to the PIX, but have accomplished a lot of things as far as getting it to do what I want. Don't know why this is so much trouble though.

Here's my new 'sh route':

PixFirewall#  sh route
        outside 0.0.0.0 0.0.0.0 67.93.55.161 1 OTHER static
        DMZ 10.0.0.0 255.0.0.0 10.0.0.1 1 CONNECT static
        outside 67.93.55.160 255.255.255.224 67.93.55.162 1 CONNECT static
        inside 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static

Any more suggestions? lrmoore, could you lend a moment of your wizardry?
If you issue a "show xlate"

do you see the translation for 192.168.10.49 to 10.0.0.2?

Also try to issue the following command:

clear icmp

Please try and let us know.
Try adding this:
fixup protocol icmp error

If that doesn't work, consider upgrading the PIX to 7.x which has a new inspect icmp so that you don't have to create an acl on the dmz interface.

Else, you have to create an acl on the DMZ interface that allow icmp, plus everything else:
 access-list DMZ_OUT permit ip any any
 access-group DMZ_OUT in interface DMZ

No, there is no translation to the 10.0.0.x.

I did the clear icmp too.

Still can't talk to the DMZ side.
OK, so what about all the stuff earlier that says I should be able to access it (DMZ) because it's on a lower security level, but not vice versa? Which would take care of my problem if it would work. So, the access-list I allow in from the DMZ, will that permit all traffic?

My goal is to not permit any traffic originating from the DMZ side. I will permit all other traffic into the DMZ, but not from DMZ to Inside.

Is this possible without upgrading IOS?
This is very odd, please try the following:

no global (DMZ) 10 interface
static (inside,DMZ) 192.168.10.49 192.168.10.49 netmask 255.255.255.255
clear xlate
clear local


Try to connect
Then issue "show xlate"

 

You can do all that you want, except use ICMP to ping anything in the DMZ.
Try accessing a web server, POP server, DNS server, FTP server, anything that uses any other protocol except ICMP.

Assuming that you've removed the two statics as recommended above, what you have left is all you need:
global (DMZ) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
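Added example (my own model, not code from this thread or from Cisco) of the behaviour carribeantech and lrmoore describe: without an ACL on the DMZ interface a flow from inside passes on security level alone, a DMZ-initiated flow does not, and in 6.3 the echo-reply coming back from the DMZ is checked like a new packet, which is why TCP works while ping fails. It contrasts the "access-list DMZ_OUT permit ip any any" suggested above with a constructed ACL that permits only echo-reply; interface names and levels come from the config, the 192.168.10.49 and 10.0.0.5 hosts from the thread, and matching ports as text and leaving out statics (a DMZ-to-inside flow would also need one) are simplifying assumptions.

```python
import ipaddress
from collections import namedtuple

LEVELS = {"outside": 0, "DMZ": 99, "inside": 100}   # nameif lines from the thread
# in/out interface, addresses, protocol, and tcp/udp port or ICMP type name (as text)
Packet = namedtuple("Packet", "in_if out_if src dst proto qual", defaults=[""])

def _addr(tok):
    """Consume one ACL address ('any', 'host X' or 'X MASK') into a network."""
    t = tok.pop(0)
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network("0.0.0.0/0" if t == "any" else t + "/" + tok.pop(0), strict=False)

def parse_acls(config):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT | ICMP-TYPE]' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        name, proto, tok = tok[1], tok[3], tok[4:]
        src, dst = _addr(tok), _addr(tok)
        acls.setdefault(name, []).append((proto, src, dst, tok[-1] if tok else ""))
    return acls

def _acl_permits(rules, pkt):
    """Ports/types match the text written in the ACL; no qualifier = whole protocol."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(proto in ("ip", pkt.proto) and s in src and d in dst
               and (proto == "ip" or qual in ("", pkt.qual))
               for proto, src, dst, qual in rules)

def first_packet_allowed(pkt, acls, applied):
    """applied: interface -> inbound ACL name; without one, only high-to-low traffic passes."""
    if pkt.in_if in applied:
        return _acl_permits(acls[applied[pkt.in_if]], pkt)
    return LEVELS[pkt.in_if] > LEVELS[pkt.out_if]

def reply_allowed(req, acls, applied):
    """TCP/UDP replies ride the connection table; 6.3 keeps no ICMP state, so the echo-reply is re-checked."""
    if req.proto != "icmp":
        return True
    reply = Packet(req.out_if, req.in_if, req.dst, req.src, "icmp", "echo-reply")
    return first_packet_allowed(reply, acls, applied)

def evaluate(dmz_acl):
    """The three flows argued about in the thread, for a given DMZ_OUT ACL text
    (constructed hosts: 192.168.10.49 on the inside, 10.0.0.5 in the DMZ)."""
    acls = parse_acls(dmz_acl)
    applied = {"DMZ": "DMZ_OUT"} if "DMZ_OUT" in acls else {}
    smb = Packet("inside", "DMZ", "192.168.10.49", "10.0.0.5", "tcp", "445")
    ping = Packet("inside", "DMZ", "192.168.10.49", "10.0.0.5", "icmp", "echo")
    back = Packet("DMZ", "inside", "10.0.0.5", "192.168.10.49", "tcp", "445")
    ok = lambda p: first_packet_allowed(p, acls, applied) and reply_allowed(p, acls, applied)
    return {"smb_inside_to_dmz": ok(smb), "ping_inside_to_dmz": ok(ping),
            "dmz_initiates_to_inside": first_packet_allowed(back, acls, applied)}

BROAD = "access-list DMZ_OUT permit ip any any"                # the ACL suggested above
NARROW = "access-list DMZ_OUT permit icmp any any echo-reply"  # lets only pings come back
```

evaluate("") reproduces the symptom (SMB works, ping fails, DMZ cannot initiate), evaluate(BROAD) makes ping work but also opens DMZ-to-inside, and evaluate(NARROW) restores ping while keeping the DMZ from initiating anything.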



Weird, because with what I have left, besides doing ping, I am still unable to access the server by \\10.0.0.5.

It can't find the host.

I was able to do this with an access-list earlier, but that was compromising security by allowing traffic from the DMZ to flow into the inside, which we don't want.

Is there an access-list that will permit only traffic that originated from the inside and block all traffic that originates from the outside?

I will post another question if needed. Let me know.

Thank you very much for your help carribeantech and lrmoore. I really appreciate all your help. Thanks a bunch.
After doing this:
no global (DMZ) 10 interface
static (inside,DMZ) 192.168.10.49 192.168.10.49 netmask 255.255.255.255
clear xlate
clear local

the only translation I see in there for me is this: PAT Global 67.93.xx.xx(5606) Local 192.168.10.49(4136)

What is weird is that I had a hell of a time trying to get the VPN up and running. There are times when I make a change and it doesn't reflect in the sh run. There have been times when I set AES-256 encryption and the sh run displayed DES. I got so tired of it I deleted everything, rebooted and tried it with 3DES. Now it works, but weird things like that happen all the time with this PIX.

Have you ever heard of any problems like this before, or similar things happening when using PDM? Is this a sign we need to re-flash or something? We are running Version 6.3(5) - is this a buggy version? Please let me know. Thanks again.
SOLUTION

Brilliant! I added an LMHOSTS file to my PC and voila! I can access it. Thanks a bunch. My next question will be regarding the length of time it takes to access that server from the VPN. Thanks again!